Offenders often use domain names sharing the same registration characteristics when planning out their attacks. Instead of using different names, contact information, addresses, and other details during (bulk) registration, cybercriminals have the tendency to use the same pseudonym or, sometimes, even real information. This makes it possible to track them, at least to some extent, through WHOIS records.
In fact, a powerful way to establish relationships between registrants’ information and domains is through reverse WHOIS lookups. This technique empowers not just cybersecurity researchers, but also website owners and marketing professionals to make their analyses more insightful.
For example, a simple reverse WHOIS search query using 'University of Oxford' as an input lets users find 459 domains with the name somewhere mentioned in their WHOIS records, therefore indicating a connection to this respected organization. Certainly, a similar search for a malicious actor can be performed with the same simplicity.
By linking suspicious domains all pertaining to the same registrant, reverse domain lookups enable cybersecurity specialists to curb crime, such as fraud and cybersquatting, as well as to prevent damaging Domain Name System (DNS) attacks and information loss. Besides, reverse domain lookups also have indispensable applications in marketing research, as they allow users to discover new business opportunities.
Interested to find out more? Here are two tools you can use for said purposes.
Two Useful Tools for Performing Reverse Domain Lookups
While there are various options available to conduct reverse domain lookups, some tools are superior to others when it comes to accuracy and data completeness. In particular, access to historical records is of the utmost importance due to the introduction of the General Data Protection Regulation (GDPR) and the Internet Corporation for Assigned Names and Numbers (ICANN)’s Temporary Specification, which has been responsible for incomplete WHOIS records.
However, it is still possible to dig deeper into historical WHOIS records using the reverse domain lookup tools such as the ones described below.
Reverse WHOIS Search is a user-friendly research platform that lets users retrieve all domains connected to a given identifier, such as a company name, an email address, or a phone number. The tool is part of the Domain Research Suite (DRS), which means users have to log in to the suite’s dashboard for access.
Once in, they can enter pretty much any search term they’d expect to find in a WHOIS record. The tool scans its database of over 7 billion historical WHOIS records to pull up all related domains. From there, users can build a WHOIS or historical WHOIS report for any result. Reports are also available for download in PDF format.
Because no pre-programming is required, it is suitable for users without any coding skills or who are not as tech-savvy as infosec professionals. Web developers and marketers are among the application’s target users. However, the tool can still be a great addition to any security analyst’s tool set.
Reverse WHOIS API works the same way as Reverse WHOIS Search, except that it comes in a different format. With just a registrant’s name, email address, or phone number, the API can scan the connected database to retrieve any domain names linked to a user’s search term. Users can integrate the API into security information and event management (SIEM), security orchestration, automation, and response (SOAR), and business intelligence applications. The results returned can be viewed in JSON and XML formats.
For a quick demo of how it works, visit the Reverse WHOIS API homepage and enter a search term. Users can use any identifier from a WHOIS record that is related to the domain under investigation. After pressing Enter, the tool yields a relevant list of domains that match the search term.
Reverse WHOIS lookup tools help lift the burden of cybersecurity research. With both options featured in this post, they can effectively get a list of domains that have been registered using the same identifiers. This can serve as a starting point for finding associations between domains, their owners, and malicious entities.